NSA product types

From Infogalactic: the planetary knowledge core
Jump to: navigation, search

The U.S. National Security Agency (NSA) ranks cryptographic products or algorithms by a certification called product types. Product types are defined in the National Information Assurance Glossary (CNSSI No. 4009) which defines Type 1, Type 2, products and Type 3, and Type 4 algorithms.[1]

Type 1 product

A Type 1 product is a device or system certified by NSA for use in cryptographically securing classified U.S. Government information. A Type 1 product is defined as:

Classified or controlled cryptographic item endorsed by the NSA for securing classified and sensitive U.S. Government information, when appropriately keyed. The term refers only to products, and not to information, key, services, or controls. Type 1 products contain approved NSA algorithms. They are available to U.S. Government users, their contractors, and federally sponsored non-U.S. Government activities subject to export restrictions in accordance with International Traffic in Arms Regulations.

Type 1 certification is a rigorous process that includes testing and formal analysis of (among other things) cryptographic security, functional security, tamper resistance, emissions security (EMSEC/TEMPEST), and security of the product manufacturing and distribution process.

Type 2 product

Type 2 products are unclassified cryptographic equipment, assemblies, or components, endorsed by the National Security Agency (NSA), for use in telecommunications and automated information systems for the protection of national security information, as defined as "Any telecommunications or information system operated by the United States Government, the function, operation, or use of which: 1. involves intelligence activities; 2. involves cryptologic activities related to national security; 3. involves command and control of military forces; 4. involves equipment that is an integral part of a weapon or weapon system; or 5. is critical to the direct fulfillment of military or intelligence missions and does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). (Title 40 U.S.C. Section 1452, Information Technology Management Reform Act of 1996.)" (40 USC 1452)

Type 3 algorithm

A Type 3 algorithm is a device for use with Sensitive, But Unclassified (SBU) information on non-national security systems, defined as "Cryptographic algorithm registered by the National Institute of Standards and Technology (NIST) and published as a Federal Information Processing Standard (FIPS) for use in protecting unclassified sensitive information or commercial information. Approved encryption algorithms include three-key Triple DES, and AES (although AES can also be used in NSA-certified Type 1 products). Approvals for DES, two-key Triple DES and Skipjack have been withdrawn as of 2015.[2]

Type 4 algorithm

A Type 4 algorithm is an encryption algorithm that has been registered with NIST but is not a Federal Information Processing Standard (FIPS). Type 4 algorithms may not be used to protect classified information.

Parts of this article have been derived from Federal Standard 1037C and from the National Information Systems Security Glossary

See also


  1. National Information Assurance Glossary (CNSSI No. 4009), 2003
  2. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, NIST.SP.800-131A Rev1, November 6, 2015, Elaine Barker, Allen Roginsky